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Abstract. We introduce the notion of isolated genus two curves. As there 
is no known efficient algorithm to explicitly construct isogenics between two 
genus two curves with large conductor gap, the discrete log problem (DLP) 
cannot be efficiently carried over from an isolated curve to a large set of isoge- 
nous curves. Thus isolated genus two curves might be more secure for DLP 
based hyperelliptic curve cryptography. We establish results on explicit ex- 
pressions for the index of an endomorphism ring in the maximal CM order, 
and give conditions under which the index is a prime number or an almost 
prime number for three different categories of quartic CM fields. We also de- 
rived heuristic asymptotic results on the densities and distributions of isolated 
genus two curves with CM by any fixed quartic CM field. Computational re- 
sults, which are also shown for three explicit examples, agree with heuristic 
prediction with errors within a tolerable range. 



1. Introduction and Background 

A genus two hyperelliptic curve defined over a finite field is a curve that can 
be written in the Weierstrass form 

(1.1) Y' + h{X)Y = f{X), 

where f{x),h{x) G Fg[X], with degf{X) = 5 or 6, and degh{x) < 2. In this article 
we will always assume that all curves considered are non-singular. Note that any 
genus two curve is always hyperelliptic In many cryptographic aspects, genus two 
curves behave similarly to elliptic curves, although some differences do exist. 

The Jacobian variety of an elliptic curve is naturally isomorphic to the curve 
itself, i.e., we may define an additive group structure on the curve itself. However, 
for a genus 2 curve there is no such isomorphism, and we need to work with its 
Jacobian for cryptography. The Jacobian of a genus two curve C is defined as the 
quotient of abelian groups Jc '■= Div°(C)/Prin(C), where Div°(C) consists of all 
degree-zero divisors on C, and Prin(C) is the subgroup of Div°(C) consists of all the 
principal divisors, i.e., divisors generated by a global function on C. The Jacobian 
Jc is also an algebraic variety, and additions on Jc are morphisms of Jc viewed as 
an algebraic variety. 

The security of hyperelliptic curve cryptography on genus 2 curves is based on 
the discrete log problem (DLP) on a cyclic subgroup of Jc(F^). The size of Jc(Fp) 
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is bounded by the well-known Hasse-Weil bound 

(1-2) (V^-l)'<|Jc(F,)|<(V^+ir. 

To implement a secure cryptosystem, we need a large prime order subgroup of 
Jc(Fq) so that q needs to be either a large prime number or a high power of 2. 
Since the base field is very large, there exist a large number of genus 2 curves 
defined over F^. There are about 0{q'^) non- isomorphic genus two curves defined 
over Fq. Suppose that the base field is given, we want to find an answer to the 
question whether all genus 2 curves are equally secure for DLP based cryptography. 
Before we look for an answer to this question, we may take a look at a similar case 
for elliptic curves. 

Following [12j , suppose we are choosing an elliptic curve defined over Fp to build 
an elliptic curve cryptosystem. As p is greater than 3, all curves can be written 
as = + ax + b, with a, & e Fp, which gives 0{p^) elliptic curves defined over 
Fp, but only 0{p) non-isomorphic ones. However, different curves are linked by 
isogenics. By Tate's Theorem, two elliptic curves Ei and E2 are isogenous if and 
only if they have the same number of points over Fp. Since the length of the Weil 
interval is -i^/p, there are O(y^) isogeny classes defined over Fp. Note that if an 
isogeny (j) : Ei E2 is easy to compute, by which we mean it is less time consuming 
compared to the known algorithms for solving the discrete log problem, then the 
discrete log problem on E2 could be reduced to the discrete log problem on Ei . This 
gives us some basic ideas to pick up secure curves for elliptic curve cryptography: 
(1) We need to know whether it is easy to construct an isogeny from a given curve 
E to other curves in the same isogeny class. (2) We might want to avoid choosing 
curves from which isogenics are easy to construct to a large number of other curves, 
for the reason that if the discrete log problem over any of these curves is solved, 
then the discrete log problem on E can also be solved, and the cryptosystem is 
insecure. (3) In that case, our choice of curves should not be random, but quite 
special. 

To answer the first question, in jl2j the authors introduced the term conductor 
gap. Let us consider an isogeny class of ordinary elliptic curves; it contains an 
endomorphism class that has CM by the maximal order End(i?) = Ok for some 
elliptic curve E (see [271). To simplify our discussion we make the assumption 
that K has class number 1, (e.g. K — Q[V— !])• Note that in this case the 
endomorphism class containing K is actually an isomorphism class, i.e., any curve 
that has CM by the maximal order Ok is isomorphic to E. If E' is another curve, 
which has CM by an order O C Ok, then the complexity to compute the isogeny 
from E to E' depends on the largest prime divisor of the index [Ok ■ O] , which is 
called the conductor gap. 

For the second question, we might want to choose curves that have CM by the 
maximal order and have large conductor gaps with any other curves not in the 
same endomorphism class. Note that the Frobenius endomorphism tt, that sends 
any point {x,y) E E{Fp) to {xP,yP), is an endomorphism of E. Hence End(i?) 

contains Z[tt], which has index ^ dil^c ( ^k- Thus if we expect that E has a 
large conductor gap, it is necessary that there exists a large prime number I that 
divides Conversely, if there exists a large prime factor / in jj^^^, then 

we may construct a curve by the CM method Jjj that has I as the conductor gap. 
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Hence we reduced the problem to a ring-theoretic problem involving the conductors 
of all possible orders of K. 

Here is an example from 1^. Suppose we are looking for curves with CM by 
K = Q(-\/— 1). Choose S to be a random fc-bit prime, and choose A to be a random 
even number (perhaps also of k bits, but A may be chosen to have fewer bits) such 
that (i) p = -\- B'^ \s prime, and (ii) either n = 2±i — A or n = ^±1 -(- A is 
a prime. Heuristically one expects to have to test 0{k'^) values of A in order to 
obtain conditions (i) and (ii). Then the curve E over Fp with equation 

(1.3) ~ ax 

has 2n points, where a G Fp is a quadratic non-residue whose quartic residue class 
depends on the sign in n = =F A. The trace of E is ±2A, and its discriminant 
is AA^ — Ap — —AB^. Because B is prime, for A; > 80 it is completely infeasible to 
transport the discrete log problem on E to that on a generic isogenous curve. Note 
that E has complex multiplication by the full ring of integers Z[-\/— 1] (since \/— T 
acts on the curve by (x, y) i— )■ (— x, iy), where i denotes a square root of —1 in the 
finite field); that is, End(ii^) has conductor 1. Up to isomorphism E is the only 
curve in its conductor-gap class, and the endomorphism ring of any of the other 
isogenous curves has conductor B. 

The cases are similar in curves with CM by other imaginary quadratic fields. 
Consider an elliptic curve E with CM by Ok, where K — Q{V—d), and d > 
is square free. If tt G is a Weil p-number, then we have tttt ~ p. As tt can be 
written as tt = A + By/^ if -d = 2, 3 mod 4, and tt ^ A + B ^+^(^ if ee 1 
mod 4, it follows that 

• If -d = 1 mod 4, then p = + AB + ^B'^, and the index of Z[tt] in 
Ok is \B\. Note that a coarse upper bound for |-B| is 2^fpjd 

• If -d = 2, 3 mod 4, then p = + dS^, and the index of Z[7r] in Ok is 
\B\. Note that a coarse upper bound for \B\ is \fpjd. 



2. Endomorphism Classes of Genus Two Curves over Finite Fields 

Let fc = Fg be the finite field with q ~ p^ elements. Let C be a non-singular 
genus two curve defined over A, and let Jc be the Jacobian variety of C. An 
endomorphism of 3c is a morphism preserving the abelian group structure. The 
zero endomorphism is denoted by 0. Note that the endomorphisms of Jc form a 
ring, called the ring of endomorphisms of Jc, or simply, of C. The endomorphism 
ring of Jc is denoted End( Jc) or End(C) if no ambiguity arises. 

We say that the curve C has CM by a totally imaginary field K d Cxi there is 
an embedding of rings l : K End(C) (g) Q. In our situation, where C is a genus 
two curve defined over a finite field, there are two cases we need to consider. If the 
p-rank of C is 1 or 2, that is, if p is nonsupsersingular, then End(C) (g) Q is a field of 
degree 4, and thus the inclusion of fields l must be bijective. If the p-rank of C is 0, 
that is, when C is supersingular, then End(C) is noncommutative and End(C) €5 Q 
is a division ring with K contained in its center. In this paper we assume that C 
is nonsupersingular, that is, End(C) (g) Q X for some quartic CM field K. Thus 
the endomorphism ring End(C) can be identified with a subring of K. Note that 
End(C) is a finite rank Z-module, and hence is finitely generated over Z, which 
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shows that End(C) is integral over Z. Hence End(C) is contained in the maximal 
order Ok- On the other hand, as the Frobenius endomorphism n € K has minimal 
polynomial of degree 4, Z[7r, tt] is contained in End(C). This shows that End(C) 
has to be an order in K, which is summarized as follows. 

Proposition 2.1. Suppose C is a genus two curve defined over a finite field Fp 
with End(C) identified as a subring in K. Then Z[7r, tt] C End(C) C Ok- 

The image of the Frobenius endomorphism tt under the map t is an algebraic 
integer n £ K. The absolute value of all conjugates of tt is y^. An algebraic integer 
in K whose conjugates have absolute value for some prime number p is called 
a Weil p-number in K. 

If End(C) — Ok, we say that C has maximal CM by K. Two curves Ci and 
C2 are said to belong to the same endomorphism class if End(Ci) = End(C2). Any 
isogeny mapping from a curve to another one in the same endomorphism class is 
called a horizontal isogeny. On the other hand, if Ci is a curve with maximal CM 
by Ok and C2 has an order O C Ok as its endomorphism ring, then an isogeny 
(j) : Jci — Jc2 is called a vertical isogeny. Note that we have the following result 
on the degree of a vertical isogeny. 

Proposition 2.2. Let Ci and C2 be as above. Then for any prime number I 
dividing the index [Ok '- O], I also divides deg(j). 

As there is no known efficient algorithm to compute vertical isogenics with large 
prime degree (greater than 80 bits) , it is computationally hard to carry the discrete 
log problem from Ci to C2- Following the above proposition we shall call the 
largest prime number that divides degcf) the conductor gap between Ci and C2- If 
a genus two curve C has large conductor gap with any curve C not in the same 
endomorphism class, then C is said to be isolated. In particular, if the class number 
of if is 1, then the endomorphism class of C consists of only one isomorphism 
class. In that case C has large conductor gap with any curve C not in the same 
isomorphism class, in which case C is said to be strictly isolated. Note that C is 
strictly isolated if and only if C is isolated and the class number of K equals 1. 

It is convenient to consider isolated curves with maximal CM, as there are a 
number of known algorithms to construct such curves. We first note the following 
result in p7] . 

Proposition 2.3. For an isogeny class of genus two curves with CM by K and 
Frobenius endomorphism tt G K , the possible endomorphism rings are precisely 
those orders in Ok which contain tt and tt. 

We have immediately the following 

Corollary 2.4. Suppose C(Fp) is a genus two curve with CM by K with Frobenius 
endomorphism tt K . If [Ok ■ Z[7r,7f]] — I is a large prime number, then C is 
isolated. 

Proof. Since [Ok ■ Z[7r,7f]] = Z is a prime number, we know that for any inter- 
mediate order O, we must have O = Ok or O = Z[tt,tt], which shows that Ok 
and Z[tt,tt] are the only two possible endomorphism rings. Hence for any curve C 
not in the same endomorphism class, C must have Z[7r, ff] as its endomorphism 
ring. As the index of Z[7r, tt] in Ok is a large prime number, we deduce that C is 
isolated. □ 
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To determine whether an isolated curve C is strictly isolated, we need information 
on the size of the endomorphism class containing C . The following proposition in 
[2 7) answers this question. 

Proposition 2.5. The endomorphism class of genus two curves with CM by an 
order O <Z K contains exactly ^C\{0) isomorphism classes. In particular, the 
endomorphism class of genus two curves with maximal CM by K contains exactly 
G\{K) isomorphism classes. 

The above proposition then immediately gives rise to the following 

Corollary 2.6. Suppose C(Fp) is a genus two curve with CM by K with h{K) = 1. 
If [Ok ■ Z[7r, 7f]] — I is a large prime number, then C is strictly isolated. 

Remark 2.7. It is worth noting that other endomorphism classes (other than the 
one with maximal CM) generally consist of a large number of isomorphism classes, 
even if h{K) = 1. We recall the following formula in [S] for the ideal class number 
C1(0) of a general order 



where f = {x G Ok\xOk Q O} is the largest ideal of Ok which is contained in 
O. f is called the conductor of the order O in K. Roughly speaking, the num- 
ber of isomorphism classes contained in an endomorphism class is proportional to 
both h{K) and the index [Ok ■ O]. If the index [Ok ■ O] is very large, then 
there are many isomorphism classes with endomorphism ring O. Moreover, the 
endomorphism class with endomorphism ring Z[7r, ff] consists of the largest number 
of isomorphism classes. In other words, smaller endomorphism rings correspond 
to larger endomorphism classes. If we arrange all the isomorphism classes in an 
isogeny class according to the partial ordering by inclusion of endomorphism rings 
(with Ok at the top), then lower endomorphism classes consist of more isomor- 
phism classes. This seems to be a volcano-like structure. The graph whose vertices 
are formed by isomorphism classes and edges correspond to the isogenies between 
them is called an isogeny volcano. 

We shall also take into account curves with maximal CM by K where [Ok ■ 
Z[7r,7f]] is not a prime number but an almost prime number. That is, [Ok ■ 
Z[iT,Tt]] = Im where / is a large prime number and m is a smooth small inte- 
ger. We assert that in this case any curve C with maximal CM by K has large 
conductor gap between curves with endomorphism ring O such that I | [Ok : O] , or 
equivalently, [O : Z[7r, tt]] | m. Since m is small, there are then only a small number 
of endomorphism classes that do not have large conductor gap with C . Moreover, 
these endomorphism classes consist of relatively smaller numbers of isomorphism 
classes. Hence C has large conductor gap with most isomorphism classes in the 
isogeny class. It is reasonable to call C an almost isolated curve. 

In the following sections we shall discuss explicitly when [Ok '■ Z[7r, 7f]] is a prime 
number (or an almost prime number) for different kinds of quartic CM fields, and 
thus give conditions for an endomorphism class with maximal CM by K to be 
almost isolated, isolated or strictly isolated. 



(2.1) 



#C1(0) 



h{K) #{OKnr 

[0*K : O*] #(0/f)* ' 
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3. Cyclic Extensions with Explicit Integral Basis 

3.1. The curve = a;^ + 1. To initiate our discussion of the conductor gap of 
genus two curves, we would like to first seek a close analogy with the elliptic curve 
= + 1, the example given in [121. Note that the elliptic curve = + 1 
has the maximal number of automorphisms, so we shall look for genus two curves 
with a similar property, i.e., a large automorphism group. The curve — a;^ + 1, 
2/^ = a;^ + 1, = .T^ + x are the three genus two curves which look similar to the 
elliptic curve y^ = x'^ + 1. However, = a;^ + 1 is not simple, which means that 
its Jacobian is isogenous to a product of two elliptic curves. The curve — x^ + x 
is isomorphic to the curve y^ — a;^ + 1. Hence we shall first study the curve 
C:y'^ = x^ + 1. 

First notice that if p is congruent to 1 modulo 5, then there exists a primitive 
fifth root of unity in Fp, which we denote C5 G Fp. Then the map {x^y) 1— >■ 
{C,r^x,y) induces an automorphism on the Jacobian of C(Fp). This shows that the 
endomorphism ring of Jc contains Z[C5], where C5 — e^^^^^ . However, as i^T = Q(C5) 
is a quartic CM field with Ok = Z[7r,7f], we conclude the following 

Proposition 3.1. If p = 1 mod 5 is a prime number, then the endomorphism ring 
ofC(Fp) is isomorphic to Z[C5]. That is, C has maximal CM by K = Q(C5)- If P 
is congruent to 2,3, or 4 modulo 5, then C is super singular. 

Note that the class number h{K) = 1 for if = Q(C5)- Hence the endomorphism 
class containing C consists of only one isomorphism class. Thus C is isolated if and 
only if it is strictly isolated. 

We may pose the following question. For which primes p = 1 mod 5 is the curve 
C(Fp) isolated? To answer this question we need to first determine when the index 
[Ok '■ Z[7r,7f]] is a prime number. Note that this requires the computation of the 
discriminant of tt. 

Lemma 3.2. Suppose tt is a Weil p-number in a quartic CM field K. If it ^ 
then [Z[7r,7f] : Z[k\] = p. 

Proof See [27] §6. □ 



From the above Lemma we deduce that if tt ^ Z[7r], then 
(3.1) [Ok ■■Z[7T,7r]] = 



disc(7r) 



p^disc{K) 

In order to compute the discriminant of tt, we need an explicit integral basis for 
K ~ Q(C5)- An obvious integral basis is {l, Csj C51 Cf }■ But computations show 
that the representation n = A + B^^ + C^f + DCf is not convenient for studying 
the primality of [Ok ■ Z[7r, tt]], and it does not easily generalize to a broader classes 
of curves. 

Another way of choosing an integral basis is the following. Let Kq be the maximal 
real subfield of K, which in this case is Kq = Q{V5). Then |l, ^"^^ j is an integral 
basis for Kq . We would like to extend this integral basis for Kq to an integral basis 
for K. We shall first take a look at how (5, Cf, and Cf are explicitly written as 
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square roots. Note that we have the following equations. 

Cl = -l-l±^ + l('l + V5+V-5-2V5- V-5 + 2V5 



^ (^l + \/5 + \/-5-2\/5- + 2\/5j 



Cl = -1 
This shows that the following set 

{ ^' J (l - ^ + V-5 - 2V5 + V-5 + 2V5) . 

^ + \/5 + -^/-S - 2\/5 - -^/-S + 2\/5^ I 

is an integral basis for K. In this integral basis, we may write tt in the following 
form 

TT = a + h ^^^ (^l-\/5 + V^-5-2\/5+ V^-5 + 2\/5j 

+di (^1 + V5 + - 2V5 - -^/-S + 2^5^ 

= ^ ^(4a + 26 + c + d) + (26 - c + rf)\/5 + (c + d)'\/-5 - 2\/5 + (c - d)\J -b + 2\/5j 
If we set 

(3.2) A = Aa + 2h + c + d 

(3.3) B = 2h- c + d 

(3.4) C = c + d 

(3.5) £> = c-d 

and conversely 

(3.6) a = -A~-B--C--D 

(3.7) b = Ib+^D 

(3.8) c = Ic+^D 

(3.9) d = Ic-^D, 



we deduce that 



(3.10) 7r= i ^A + bV5 + C\/-5-2V5 + L»V'-5 + 2V5^ . 
Since tt is a Weil number, we have tttt = p. Observe that 

(3.11) TTTf = ^(tI^ + + + 5£>2) + ^(2^5 + 2(7^ + 2CD - 2D'^)V5. 
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Setting TTTT = p yields 

(3.12) + + 5C'^ + 5D'^ = 16p, 

(3.13) AB + C'^ + CD - = 0. 
We have the following result on the discriminant of tt. 
Proposition 3.3. Let tt be given in the form 113. 10\) . then 

(3.14) disc(^) = —^2^4(^2 _ _ ^2)2^ 

16 

Proof. The proof is by computation. Details can be found in the proof of Proposi- 
tion mH □ 



Since disc(i4r) = 125, we thus deduce from p.ip that the index of Z[7r, tt] in Ok 
is given by 

(3.15) [Ok ■■ Z[7r, tt]] ^ ^B^ \C^ - 4CD - D^\ . 

Now we get back to our question: when is [Ok ■ Z[7r, tt]] a (large) prime number? 
Note that B^ is a factor of the index, so we take B^ = 1. However, with B = ±1, 
(|3A2l) and ([XTS)) become 

(3.16) p = ^{A^ + 5 + 5C^ + 5D^), 

16 

(3.17) A = ±{D^ - CD -C^). 
Thus we have the following 

Proposition 3.4. Let C : y'^ = + I be defined over Fp, p = I mod 5, with 
Frobenius element tt given in the form \3.1U\) . Then C is (strictly) isolated if 

P= — iiC^ +CD- D^f + 5 + 5(7^ + 5L»2) 
16 

and 

- \C^ - 4:CD - D^\ 
4 ' ' 

is a prime number of greater than 80 bits. 

Computations of the frequency of occurrence of isolated curves C : y^ — 1 
are shown in section 7. 

3.2. Fields similar to Q(C5)- The integral basis chosen above for the CM field 
K ~ Q(C5) ill fact easily generalizes to a larger category of CM fields. For this 
purpose we make the following assumptions on the CM field K. 

(i) K = q,{yj-a-b^/d for some positive integers a, 6, d; 

(ii) d = \ mod 4 is square-free; 

(iii) K is cyclic, which is equivalent to that ~b^d — c^d for some c G Z, c > 0; 

(iv) The set 

h,^^^,^(^l + Vd+^J-a-bVd + e^-a + bVij , 



4 

is an integral basis for K for e = 1 or — 1 



\ i 1 - Vd+ \/ -a - bVd- e\/-a + bVd^ 
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We observe that under the above assumptions for K, any Weil p-number tt S if 
can be written in the form 

(3.18) TT = i + BVd + C\l-a - bVd + D\/-a + bVd^ . 

Next we shall compute the index of Z[7r, tt] in Ok- Note that we have the following 
result on the discriminant of K. 

Lemma 3.5. Let K satisfy the assumptions (i)-(iv) listed above. Then disc(iir) = 
a'd. 

Proof. Proof is computational. □ 

We also have the following computation for the discriminant of tt. 

Proposition 3.6. Let n be a Weil p-number in a field K satisfying assumptions 
(i)-(iv). Then 

(3.19) disc(^) = —B\cC^ - 2bCD - cD^- 

16 

Proof. The proof is computational. □ 
Therefore the index of Z[tt, tt] in Ok can be written as 

(3.20) [Ok : Z[7r,7f]] = ^B^ \cC^ ^ 2bCD - cD^\ . 

We then obtain the following similar results describing whether a nonsupersingular 
genus two curve with CM by K is isolated. 

Proposition 3.7. Let C be a nonsupersingular genus two curve defined over Fp 
with Frobenius element tt given in the form 113. 18\) . Then C is isolated if there are 
integers C, D G Zi such that 

p= _L f (^C^+cCD-^D^X +d + aC^+aD^ 



- IcC^ - 2bCD-cD^[ 
is a prime number of greater than 80 bits. 

Example 3.8. The above proposition provides an algorithm to find explicitly isolated 
curves. Here is an explicit example. Let p — 

771091319962693236371145032994729162932757389399122231169290825163207497497840084770171. 

Then y'^ — + 1 defined over Fp is strictly isolated {hQ((;^) — 1), with a conductor 
gap 

2955859292970642142002483626678135540313500021819, 
a 162-bit prime. 
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4. A Broader Class of Isolated Curves 

The isolated curves considered in the previous sections were mainly curves with 
maximum numbers of symmetry, for example, the curve = + 1. Curves 
with less symmetry should also be considered, although the relevant computation 
in the CM field might be harder. Moreover, curves with index equal to a large 
prime number occur infrequently among all genus 2 curves. Curves with almost- 
prime index should also be considered. We should also consider curves with index 
[Ok ■ Z[7r,7f]] = Im, where I is a large prime number, and m is smooth and small. 
These curves constitute a broader class of curves for use in hyperelliptic curve 
cryptography. 

In this section we shall consider curves with almost-prime index. For this reason 
it is not necessary here to restrict the quartic fields to the category given in the 
above section. We consider curves with CM by cyclic quartic imaginary extensions 

K/Q, with K = Q{V—a — bVd), a,b,d £ Z and = (6^ + c'^)d for some positive 

c e z. 

For simplicity we assume that the Weil p-number n in K can be written as 

(4.1) TT = A + Bw + C'n + Dr]', 

where {l,w} is an integral basis for Kq, and rj £ K is a.n element such that r?^ is 
totally negative in Kq C R. By r]' we denote one of the non-complex conjugate 

Galois conjugates, and let a denote the generator of Ga^if/Q) such that rj' = rf . 
We first compute the discriminant of Z[7r,7f], which is disc(7r)/p^. 

Lemma 4.1. Let n be a Weil p-number in a quartic cyclic extension K/Q. Let a 
be a generator of Gal(if/Q) and p denote complex conjugation. Then 

(4.2) disc(7r) = p2[Tr((7r - ■k''){-k - 7r'"''))]2Tr(7r7r'^(7r - ■kP){tt'' - -k^p)). 
Proof. By the definition of the discriminant we have 

(4.3) disc(7r) = [(tt - 7r^)(7r^ - 7r^)(7r'^ - 7r'')(7r'^'' - tt)]^ [(tt - 7r'')(7r^ - t^"")]^ . 
First note that 

(tt - 7r'")(7r^ - 7r'^)(7r'^ - ttP){'k''p - tt) 

= (2p - -k^-kP - 'K'K"P){2q - -k-k" - -kP-k^p) 

= 4p2 - 2p(7r7r'" + tt'^tt" + ttPtt'^p + tt^^tt) + p [tt^ + {n^f + {nPf + {ir^Pf] 
= p [Tr(7r2) - Tr(7r7r'") - Tr(7r7r'''') + Tr(7r'"7r'"'')] 
= pTr(7r^ - tttt'" -|- tt'^tt^p - tttt^p) 
= pTr[(7r-7r'')(7r-7r''^)]. 
Next note that 

{-K --Kp fiTT" -TlP f 

= {tttt" - tt^ttP + ttPtt^p - n^pTrf 

= (tttt'" + nPTT-'Pf + {tt^ttP + TT'^Pirf - 2(7^" + 'kPtt''P){-k''-kP + tt'^^tt) 
= Tr((7r7r'')2) + Ap^ - 2pTr(7r2) 
= Tr(7r7r''(7r-7r'')(7r'' -tt'^^)). 
Multiplying both parts together, we obtain the desired result. □ 
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We have thus the foUowing 
Corollary 4.2. Let n be a Weil p-number in a cyclic quartic CM field K. Then 
(4.4) disc(Z[7r,7f]) = [Tr((7r - 7r'')(7r - 7r'"''))]2Tr(7r7r'"(7r - 7r'')(7r'" - tt'"")). 
Proof. It suffices to note that disc(Z[7r, tt]) ~ disc(7r)/p^. □ 



Note that the index of Z[7r, tt] in Ok equals Y^disc(Z[7r, tt]) /disc (if). Hence if 
we want the index to have a large prime factor, or to be almost prime, we need 
Tr((7r - 7r'^)(7r - tt'^p)) to be as small as possible, and Tr(7r7r'^(7r - ttP){-k"' - tt'^p)) to 
be large. Taking into account the specific form of tt in (|4.ip . we have the following 
results from computation. 

If c? = 1 mod 4, then we take w ~ i so that {!,?«} is an integral basis 

for Kq. Write ij ~ \/ ~a — b\/d, where a,b can be both integers or half- integers 
to ensure that \/-a±bVd e Ok- Then (T takes \/d to ^\/d and \/—a — by/d to 
\/—a + b\fd. Hence we have the following expressions for all the four conjugates of 

TT. 

(4.5) TT = A + B ^ + C\l-a - + D\j -a + 

(4.6) Tx" = A-B ^ - B\j-a -bVd+ C\J -a + bVd 

(4.7) ttP = A + B ^ - C\l-a - by/d - D\l -a + b^fd 

(4.8) ■K-'P ^ A-B ^ + D]/-a -bVd- C\l -a + b^fd 

If d = 2, 3 mod 4, then we take w = ^/d, so that {1, is an integral basis for 
Ko. Write 77 — \/ —a — b\/d, where a,b € Z. We have the following expressions for 
all the four conjugates of tt. 



(4.9) TT = A + BVd + Cy-a-bVd + Oy -a + bVd 

(4.10) tt" = A - BVd - D\J -a - bVd + C\J -a + bVd 

(4.11) ttP = A + BVd - C\J -a - bVd - D\J -a + bVd 

(4.12) tt'^p = A - BVd + D\J -a - bVd - C\J -a + bVd 

We obtain the following result on the prime factors of [Ok ■ Z[7r, tt]]. 

Proposition 4.3. Let tt be a Weil p-number in the cyclic quartic CM field K = 
QiV -a -bVd) in the form |5./^[ ) or H5.5]} . Then 

(i) B divides [Ok ■ Z[7r,7f]]; 

(ii) // I > disc(iir) is a prime that divides cC^ — 2bCD — cD^ , then I divides 
[Ok : Z[^,7f]]. 

Proof. First we observe that 7i[tt,tt] C X[tt,tt, Vd] C Ok a d = 2,3 mod 4, and 
Z[tt,tt] C Z[tt,tt, ^+^^ ] C Ok if d = 1 mod 4. Note that in both cases we have 
B I Z[7r,7f] C Z[TT,TT,Vd] and B \ Z[tt,tt\ C Z[7r,7f,ii^] respectively. Hence B 
divides [Ok ■ Z[7r,7f]]. 
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Next, for part (ii), we compute the factor (tt — 7r'')(7r°' — tt'^p) of disc(Z[7r, tt]). 
From the formulas for the conjugates of tt we derive that 



2C\I -a - bVd + 2D \I -a + h^/d 
■K^-TT^P = -2D\J-a - bVd + 2C\J -a + bVd 

Hence 



{n - TTP){n'^ - TT^P) = \^2Cy-a-bVd + 2D\/-a + bVdj \^-2Dy-a-bVd+2C\/-a + bVd 

= 4:Vd{cC^ - 2bCD -cD^). 

If Hs a prime that divides cC^ — 2bCD — cD^ but does not divide disc(iir), then 
I must be a factor of disc(Z[7r, 7f])/disc(i4r) and thus I divides [Ok '■ Z[7r,7f]]. This 
completes the proof of (ii) . □ 

We then have the following result from the above proposition on whether a curve 
with maximal CM by a cyclic quartic field K is almost isolated. 

Proposition 4.4. Let C be a genus two curve defined over Fp with maximal CM 
by a cyclic quartic field K . Assume that the Weil p-numbers in K is of the form 
\5.4^ or \5.5\) . depending on whether d = 1 mod 4 or d = 2. 3 mod 4. Suppose 
B = ±\ and cC^ — 2bCD — cD^ is a large prime. Then C is almost isolated. 

Proof. Note that the discriminant of the basis 1 1 , V— a — bVd, \/ —a + 

in Ok is at most 2^^, which is a smooth and small (compared to 2^*^) number. 
Hence by assumption [Ok ■ Z[7r,7f]] has no large prime factor other than I. Hence 
C is almost isolated. □ 



5. Non-normal Extensions 

Let K/ Q be a non-normal quartic imaginary extension. Let p denote the complex 
conjugation. Then K — K^, so the normal closure of K, say L, has degree 8 over 
Q, and Gal(L/Q) « D^, the dihedral group of order 8. Basic finite group theory 
tells us that the center of the order 8 dihedral group is isomorphic to Z/2Z, and 
there are 4 other non-normal subgroups of order 2, forming 2 pairs, each with 2 
conjugate subgroups. 

Since K is of degree 4 over Q, K has four embeddings into C. As X is fixed 
by the complex conjugation p, we may group these four embeddings into two pairs: 
{</'i,</'2}, {4>i,4>2} such that (pi = (pip for i = 1,2. We have immediately (j)i{K) — 
(j)i{K). In fact there are two ways to form the 4 embeddings into two such pairs. 
We say that a pair of embeddings <I> = {01,02} is a CM type if 0i ^ (f>2P- Thus 
a pair of embeddings {01,02} is a CM type for a non- normal extension K if and 
only if 01 (A') ^ ip2{K). We now define the reflex of K following [TS] and |20j . 

Definition 5.1. Let K he a. non- normal degree 4 CM field. Then the following 
two fields are identical; it is called the reflex fleld of K with respect to the CM type 

* = {01,02}- 

(1) Q({0i(a;) + 02(a;):xei^}); 

(2) Q{{Mx)Mx) ■■ X e K}). 
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As L is dihedral of degree 8 over Q, we may assume that the Galois group 
Gal(L/Q) is generated by a and r, where a is an element of order 4 and r 
an element of order 2 with t~^(TT = . It is possible to choose a such that 
(j{4)i{K)) — 4>2{K) for a given CM type {(t>i,(t>2} of K. Let Kq be the maximal 
real subfield of Ki = (l)i{K). We assume that Ko = QiVd) for some square-free 
positive integer d. Note that there exists a non-zero element x G Ki such that 

e Kq. This x^ must be totally negative as Ki is a totally imaginary extension. 
Without loss of generality we may assume x to be an integer in Ki and we may 
thus write x = \/ —a — h\fd for some a, & G Z with a > 0, and c? — iP'd, > 0. Wc 
may also assume that gcd(a, 6) is square- free and d \ gcd(a,6). Further note that 

|l, y/d, \/—a — by/d, \/—ad — bd\/d^ is a Q-basis for K\. 

The action of cr takes y/d to —y/d and by our assumption that (j>2 = (Tcpi, a 
maps V—a — h\fd to \/ —a + h\fd. Hence |l, \fd, \/ —a + h\fd, \/ —ad + 6dv^| is 

a Q-basis for = 4>2{K). 

We now determine the structure of the reflex field of K with respect to the 
CM type {(j)i,(j)2}, say, K^. As V-a - b Vda{V- a - bVd) = y/^fl^^Wd e KI, 
the maximal real subfield Kq of KI is Q(Vc?~~Pd). By our assumption a^ — b'^d 
is positive, square-free. Also note that \/ — b'^d is not a rational multiple of Vd, 
since gcd(a, 6) is not divisible by d by assumption. Observe that 

\/-a - bVd + a{\l-a - bVd) = \l -2a + 2y/'a^ -b'^d e K{. 

Thus {l, - bH, y/ -2a + 2s/a^ -V^d, s/d^ - b'Hy/-2a + 2\/^2Trp^| jg a Q- 
basis for KI. 

Since {</>!, ^2/0} is the other CM-type not conjugate to {^1,^2}, we obtain an- 
other reflex field K2 of Ki with respect to {(j)\,(j)2p}- Observe that for any x €: K, 
we have 4>2p{x) = ap{(j)i{x)). Hence 

\P^a^^b\/d. + (jp{\J-a - bVd) = \J-2a-2y/a^ - b^d e K^. 

Thus {1, Va^ - b'^d, V'^2^^^27^^^Fl, Va^ - b'Hy/-2a - 2\/^2Trp^| jg a Q- 

basis for XJ. 

Note that Ki, K2, KI, K2 are all non-normal extensions. The only normal quar- 
tic subfield of L is the biquadratic real extension Q{Vd, Va^ — b'^d). 

Then we have the following descriptions of the non-trivial subfields of L. 

(1) L has three quadratic subfields, all of which are real subfields. They are 

• Ko = m Vd); 

• K^ = Q(V a^-b^rf); 

• K^"- = Q{^a^d-b^d^). 

(2) L has five quartic subfields. They are 

• Lq = Q(v^, \/ a^ — b'^d), which is a normal extension and the maximal 
real subfield of L and contains all three real quadratic subfields of L; 

• Ki = Q{ V-a-bVd ); 

• K2 = Q{V -a + bVd); 

• K[ = Q( V-2a-2Va^-b^rf ); 

• K^ = Cl{V-2a + 2Va;^-b'^d). 
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We give an explicit example of these fields. The following example is used in [19] 
for the construction of p-rank 1 genus two curves by the CM method. 

Example 5.2. Let K = Q[X]/{X^ + SAX'^ + 217), which is not Galois over Q. 
Note that explicitly, up to a fixed embedding of K into C, the four roots are ai — 
V~17~6V2, 02 = -V-17-6V2, /3i = \/-17 + 6y2, and ^2 = -\/-17 + 6V2. 
Note that ai and a2, Pi and /32, respectively are complex conjugates of each other. 
This field K , however, is not normal. To see that K is not Galois, note that the 
product of ai and /3i is — -\/217, which is a real number that is not in Kq, the real 
subficld of K . If we fix a root ai, then the other two embeddings not into K map 
a\ to /?! and /32 respectively. Let a denote the map that takes ai to /3i, and let p 
denote complex conjugation. In this case, there are two choices of non-conjugate 
CM types, i.e., $1 = {id, cr}, and <I>2{ id, crp\. The reflex field of K with respect to 
$1 and $2 are respectively 

Kl ^ Q(\/-17 + 6\/2 + \/-17-6V2, V2T7), 

and 

Kl = Q(\/-17 + 6\/2 - ^^-17- 6V2, ^217). 

Remark 5.3. In general, suppose we consider an irreducible polynomial X^-\-aX'^+b 
with integer coefficients a, & € Z and both roots r and s of X^ + aX + & are totally 
negative real numbers. Then the field K — Cl[X]/{X^ + aX^ + 6) is a quartic CM 
field with real subfield = Q[X]/{X'^ + aX + b) = Q(r) = Q(s). In addition, the 
four roots of X'^ + aX^ + b are obviously ^/r, —^/r, y^, — -y/s, respectively. Using 
similar argument to those in the above example, it follows that any one of the 
reflex field contains Q{\/r\/s) = Q(Vrs) as a subfield, i.e., Q{Vb) is Kq if b is not 
a square. 

Also note that X'^ + aX^ + b has two ways of factorizations into quadratic 
polynomials, in and K2 respectively: 

{5.1^^ + aX^ + b = {X^ + 2Vb - aX + Vb){X^ - \/ 2Vb - aX + Vb) 

(5.2) = {X^ + \J-2Vb -aX~ Vb){X^ - \J -2Vb - aX - Vb). 

We have the following lemma in the computation of the discriminant of a Weil 
p-number in a non-normal quartic extension i^T/Q. 

Lemma 5.4. Let n be a Weil p-number in a quartic cyclic extension K/C^. Let a 
be a generator of Gal{K/Cl) and p denote complex conjugation. Then 

(5.3) disc(7r) = p'[TrK/Q{{n - 7r'^)(^ - n-P j)? ' TrK./Q(7r7r-(^ - ^'')(7r'^ - tt^p)). 

Proof. The computational part of the proof is the same as in the proof of Lemma 
l4Jl It then suffices to show that (1) (tt - 7r'^)(7r - tt^p) e K; and (2) 7r7r'^(7r - 
TrP){Tr'' - TT-^P) e K^'. 

To see that (tt - 7r'^)(7r - tt'^p) e K, note that 

(tt - TT''){n - n^P) = TT^ - nin" + tt^p) + p. 

Since tt°' + n'^P £ Kq C K, we immediately have (tt - 7r°')(7r - tt'^p) e fC. 

Also note that by definition of K^, we have both tttt"' G and (tt — 7r'')(7r'^ — 
TT^P) e thus also mr^iTT ~ ttP){'k'' - tt'"'') e A'''. □ 
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To explicitly compute the discriminant of tt and the index of Z[7r,7f] in Ok, 
we need the following expressions for tt. If d = 1 mod 4, then we consider Weil 
p-numbers of the form 



(5.4) 7r = A + B \^ +Cy-a-bVd + D \^ \J-a-bVd. 

If d = 2, 3 mod 4, then we consider Weil p-numbers of the form 



(5.5) TT = A + BVd+C\J-a-bVd + DVd\J-a-bVd. 

We have the following result on the large prime factors of the index of Z[7r,7f]. 

Proposition 5.5. Suppose I is an odd prime with I > disc(_ftr) such that 

(i) l\C^ + CD + ^fdEEl mod 4; or 

(ii) l\C^-dD'^ifd = 2,3 mod 4. 

Then I divides [Ok ■ Z[7r,7f]]. 

Proof. We shall first show that in case (i), + CD + ^^D^ is a factor of (tt — 
7r^)^(7r — tt"')^, and is thus a factor of disc(Z[7r, tt]). Without loss of generality we 
may assume that the action of a is given by 



a : Vd t-^ -Vd, \/ -a - bVd t-^ \/ -a + bVd. 
Thus if TT takes the form (|5.4p . then 



(5.6) ttP = A + BVd - C\/-a - bVd - ^^ \l-a - bVd 

(5.7) tt" = A - + C\/-a + bVd + £> \/-a + 



(5.8) TT^P = A- BVd-C\/-a + byQ- ^ \/ -a + byQ 
Hence 



{tt - ttP){tt'' - TT^P) = {2C\l-a -by/d+2D ^ ^ \j -a - bVd\^ 

■ 1 2C\/-a + bVd + 2D ^ ~ ^ J -a + bVd 



= 4v/a2 - b^d{C^ + CD + ^j^D^). 

Note that I \ {C^ + CD + ^D'^) and / \ disc (if), then / must be a factor of 
disc(Z[7r, 7f]/disc(X), which shows that I \ [Ok ■ Z[7r,7f]]. 
Next we treat the case (ii). If tt takes the form (|5.5p . then 



(5.9) ttP = A + BVd-Cy-a-bVd-DVdJ-a-bVd 



(5.10) tt" = A- BVd + Cy-a + bVd- DVdy-a + bVd 



(5.11) tt"p = A- BVd-Cy-a + bVd + DVd\J-a + bVd. 
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These expressions give 



P = 2C\-a-bVd + 2DVd\-a-bVd 



TT^-TT^P = 2C\/-a + bVd-2DVd\/-a + bVd. 

Therefore 



{n - nP){T:'' ~ n'^P) = ( 2Cy -a - bVd + 2DVdJ -a - bVd 



2C V -a + bVd - 2DVdJ -a + bVd 



= -b^d{C^ -dD^). 

Thus wc finish the proof by a similar argument as in case (i) . □ 



6. Weil p-numbers with prime conductor in quartic cyclic extensions 

Let K/Cl be a totally imaginary quartic extension, denote by Kq its real subex- 
tension, and let tt be a Weil p-number in K , where p is an odd prime. In the previous 
sections, we have shown that if / = [Ok ■ Z[7r, tt]] is a prime number larger than 
80 bits, then the corresponding Jacobian of the genus two curve is isolated. In 
this section we derive a heuristic prediction for the asymptotic distribution of Weil 
p-numbers such that both p and / are prime numbers. In order to compute the 
index /, we need to assume that K has integral basis of the form shown in section 3. 
According to [211 [HI [23] , the following assumptions ensure that K has the desired 
form of integral basis. 

(i) Kq — Q{\/d), where d = 5 mod 8, and K = Q ^\/— a — b^/dj for some 
a,beZ. 

(ii) Any prime number I e Z that ramifies in K/Q also ramifies in Kq/Q. 

(iii) As Z-modules, 



Zezi (l + Vd) ® zi (l + Vd+ -a - bVd + e\J -a + bVd 



Ok 

®zi ^1 + - \/-a - bVd - e\/-a + bVd 
with e = 1 or — 1. 

Note that by (1), as K/Q is a cyclic extension, we have = {b^ + (?)d for some 
positive integer c. Since d is square-free, we have d \ a and we may write a = aod. 
For the simplest cases we note the following result. 

Proposition 6.1. Suppose aa = 1, b = 2 mod 4, d = 5 mod 8, then the above 
eonditions (i)-(iii) are satisfied for X = Q a — b^fdj . 

For a complete proof and detailed discussion, see [211 [Ml [22] ■ 

In the sequel we shall assume that the condition of Proposition 16.11 is satisfied. 

Thus ao = 1 and d = b^ + . Since tt is a Weil p- number, by (iii) we may write tt 

in the form 
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(6.1) TT = i + BVd + C\l-d - bVd + D^J-d + bVd^ , 
where A, B, C, D are integers satisfying the equations 

(6.2) p = ^(A^ + B^d + C^d + D^d) 

16 

(6.3) AB = -C^^-CDc + D^^ 

(6.4) / = ^\B{C^c-2CDb- D'^c)\ 

If we want both p and / to be prime numbers, we need to take B — ±1. The 
above equations then become 

(6.5) p = ^{[C'^ + CDc-D^^\ +C^d + D^d + d\, 




(6.6) / = -\C''c~-2CDb- D^c 



Lemma 6.2. In order that p and I are both integers, C and D need to be odd 
integers. 



Proof. First note that if both C and D are even integers, then by equation (|6.5p . 
16p is odd. Hence p is not an integer. 

Next we suppose that one of C and D is odd and the other is even. Note that 
c is an odd integer, as we assumed that c? = 6^ + is odd, and b is even. In this 
case C^c — 2CDb — D^c is odd, which yields that / is not an integer. □ 

We next show that if 3 divides c, then p and / cannot both be prime numbers 
other than 3. 

Lemma 6.3. If 3 \ c, then 3 | pi. 

Proof Note that If 3 | 6, then 3 | p and 3 | /. If 3 | 6, then d ^ b'^ + = 1 mod 3. 
Hence p = {C^ - D'^f + +0"^ + 1 mod 3 and / = \bCD\ mod 3. One then 
verifies that for all choices of congruence classes of C,D mod 3, we always have 
3 I / or 3 I p. Thus the desired assertion holds. □ 

As an immediate corollary, we have 



Corollary 6.4. Let p > 5 be a prime number, and K ~ \/ —d — b\fd satisfy con- 
ditions (i)-(iii), d = 13 mod 24, 3 | 6. Then there exists no Weil p-number tt G if 
.such that [Ok ■ Z[7r, tt]] is a prime number larger than 3. 

Proof. Since d — b"^ + c^, and d = I mod 3, 3 | 6, we have 3 | c. Hence by the 
above lemma, 3 | pi. As p > 5 is a prime number, we have 3 | / and therefore 
3| [Ox:Z[7r,7f]]. □ 

Remark 6.5. The only field with disc-f^o < 100 that has the property described in 
the above corollary is the field = Q {^\/~^ 13 - 2%/l3) . The next such field is 

K ^q, fv/-109- 10\/l09 
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It is convenient to write 

—c+^/d , , —c—\fd 



e = 



and e' = 



b b 
Note that e,e' G Kq, and ee' = —1. Wc also note that e and e' are Gal(i^o/Q)- 
conjugate. We may define a iCo-linear transformation from Ko[C,D] — >• iiToiC^, ^] 
as 

(6.7) U = C-eD 

(6.8) V = C-e'D 

Note that this Unear transform induces a hnear transformation from 7i/l'L[C, D\ — >■ 
7i/l7i\U,V], where I is an odd prime number, as long as is a quadratic residue 
modulo I and I \ b. This induced transformation is invertible if and only if I does 
not divide d. Based on the this transformation, wc deduce the following result on 
the factorization of p and /, regarded as polynomials in Kq \U, V] . 

Theorem 6.6. With U and V defined as above, we have the following factorizations 
in Kq. 

(6.9) p = lQc/^ + eVd)(^y^-£'v^' 

(6.10) I = lb\e'{U-eV){U + eV)\ 

8 

Proof. Both identities can be easily verified. □ 

It is convenient to define the following subsets of odd prime numbers. 

(1) Let Vc denote the set of odd prime numbers that split completely in K/Q. 

(2) Let Vs denote the set of odd prime numbers that split in Kq/Q, but do 
not belong to Pc- 

(3) Let Vi denote the set of odd prime numbers that are inert in K/Q. 

(4) Let TZ denote the set of odd primes that ramify in K/Q. 

Note that by assumptions (i) and (ii), TZ consists of the prime divisors of d. We 
have the following lemma on the prime numbers that divide p. 

Lemma 6.7. // / | p, then I eVc^TZ. 

Proof. Suppose that I divides p. We shall prove by contradiction that either I 
ramifies in K/Q or I completely splits in K/Q. If I is inert, then £ = IOk is a 
prime ideal in K. From £ | p = tttt we deduce that either £ | tt or £ | tt. Without 
loss of generality we may assume that L \ tt. Since £ is inert, we have £'^ = £ 
for all a G Gal{K/Q). Hence £ divides all the conjugates of tt, which shows that 
£|7r — tt'^ + tt — 7^^ = \/d. This yields that I ramifies in Kq/Q, a contradiction. 

Next we assume that I splits in Kq/Q as IOkq = hh, but remains prime in the 
extension K/Kq, for i = 1,2. Write £j = UOk for i = 1,2, which are both prime 
ideals in K. Note that £J = £2 and £3 = £1, where is a generator of Ga\{K/Q). 
From I \ p we deduce that tttt G £i£2 = £1 fl £2. Hence tttt G £i for both i = 1,2. 
Hence for each i = 1,2, £j divides one of tt or tt. However, as £j is invariant under 
complex conjugation, £i divides both tt and tt for both i = 1,2. Therefore both 
£1 and £2 divide all four conjugates of n, and thus so does £ = £1 fl £2. Hence 
£ I Vd, which yields a contradiction. □ 
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The next proposition gives the probability that a random prime number / divides 
/. We first prove the following lemma. 

Lemma 6.8. If I is an odd prime number such that I \ be and I f d, then I splits in 
Ko/Q. 

Proof. First note that d = b"^ + c^. If ^ | 6, then d = mod I. If ^ | c then 
d= b"^ mod /. Hence in both cases, is a quadratic residue modulo I. Thus the 
minimal polynomial of ^'^^ factors in Z//Z, and I splits in -fCo/Q by Kummer's 
theorem. □ 



Proposition 6.9. Let C and D be random odd integers. If I is an odd prime 
number, then 

( (1 - l/lf, if I splits in Ko/Q; 
(6.11) Prob(Z t ^) = (1 - 1/'^), if I is inert in Kq/Q; 

[ (1-1/0, ifl\d. 

Proof. First, if / splits in Kq/Q, then Vd G Z/ZZ. First, if we assume that Z | 6, we 
then have the factorization 

I=lb\e\U-eV){U + eV)\ modi. 
8 

Thus I \ I if and only if I \ U + eV or I \ U - eV . Since C mod / and D mod I 
are randomly chosen in Z/IZ, as I ^ d, the two factors U + eV and U — eV also 
range randomly in Z/IZ. Hence the probability that I divides each of the factors 
is l/l. Moreover, since C mod I and D mod I arc independent random variables, 
the probability that I divides both factors is l/l^. If / | 6, then I = j \cC^ — cD^| = 
l\c{C + D){C - D)\ modi. Thus Z divides 7 if and only if / divides C+D or C-D. 
Therefore in all the three cases we have Prob(Z f /) = 1 - 2/Z + l/Z^ = (l - l/lf. 

Next we consider the case when / is inert in Ko/Q. Note that in this case 
(i is a non-residue modulo l. We may write I = j 



Thus 



1 = mod l if and only if (C — ^Z))^ — ^D"^ = mod l, which is equivalent to 
C = D = mod I. This shows that l divides I if and only if I divides both C and 
D, which occurs with probability 1//^. Therefore Prob(Z \ I) = 1 — 1/P. 

If Z I d, then I = \{C - ^^Df mod I. Hence d | / if and only iil\C -\D. 
Since C — is a linear combination of C and D, I \ C — with probability 1/cZ. 
Therefore Prob(Z f 7) = 1 - 1/Z. □ 

We need the following lemma to prove our main result on the probability that Z 
does not divide either p or 7. 

Lemma 6.10. Suppose I is an odd prime number and I \ b. Then the following are 

equivalent. 

(i) l&Vc; 

(ii) — is a square modulo I; 

(iii) ^S-y^ is a square modulo I. 
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Proof. The equivalence (m) <^ [iii) is clear, as e ■ (— e') = — 1. It then sufSces to 
show that (i) (ii). 

{i) {a). Suppose / £ Vci then Kummer's theorem yields that v^— d ± b\fd G 
Z//Z. As \/ ~d~ h\fd + \/-d + bVd = \J -2d^2c\fd, we have -2d + 2cv^ is a 
square in Z/ZZ. Hence -'M^ = _ V-2d+2cx/d ^j^^ ^ square in Z/ZZ. 

(zi) ^ («). Suppose — is a square in Z/^Z, then 

\J-d-b^= i ^\/-2d + 2cVd- \/-2d - 2cv^^ G Z/ZZ. 
By Kummer's theorem, I splits completely in /iT/Q. □ 



Proposition 6.11. Suppose I is a prime number and I \ b. Then the probability of 
I not dividing either p or I is 



(6.12) 



Prob(Z-t-p and I \ I) = 



(l-3/o^ 
(1 - l/o^ 
(1 - lA'), 

1, 



^fl&Vi; 
ifl\d; 
if I = 2. 



Proof. First we consider the case when I G Vc- Note that in this case y/d G Ti/lX, 
and hence the transforms ()6.7p and ()6.8p are well-defined in TijVL. Since C and 
Z) are randomly distributed in 'L/l'L^ the pair ([/, also ranges randomly in the 
affine space yl^(Z/ZZ). To compute the probability, note that the condition / 1 / is 
equivalent to both I \ U ^ eV and I \ U — eV. Hence I \ I ii and only if the pair 
{U, V) G A'^{Z/IZ) is on neither the line U + eV = OnoT the line U-eV = 0. Since 
there are I points on each of the lines, and the intersection of the lines is (0,0), 
there are l"^ - 21 + 1 ^ (l ~ 1)^ points {U, V) in A^{Z/IZ) such that / \ I. 

Next we want to count the number of points in the subset {([/, V) G A'^{Z/lZ)\l \ p, I \ 
By Lemma 16.101 and Equation (|6.9p , p factors as 




Thus p is the product of four linear factors. Note that the zeros of ( U 



and the zeros of U 



are disjoint. Similarly, the zeros of V 



-2eVd 



2e'\fd 



and the zeros of ( y + \/ ^^77^ ) are also disjoint. Also note that the intersection 



of the zeros of yU ± y and the zeros of yV ± y ^^^J lies in the zeros of 

/. The following figure depicts the relation among these lines in A^{Z/IZ). 
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Since each line contains I points in ^^(Z/ZZ), and there are a total of six lines 
with five points of intersection (4 with multiplicity 3 and 1 with multiplicity 2), 
we conclude that the subset {([/, V) £ A^{Z/lZ)\l \ p, I \ /} contains - 6^ + 9 = 

(Z — 3)^ points. Then the probability that I does not divide either p or / is (1 - f ) . 

If I ^ Vc, then by Lemma [6.71 I cannot be a divisor of p and the probability 
that I does not divide either p or / is the same as the probability that / does not 
divide /, which is (l - \f if I G Vs, and (l - j^) if / G Vj. 

If Z I d, note that p = P mod I. Hence I divides p if and only if I divides /. 
Hence the probability of I dividing neither p or / is the same as the probability of 
I not dividing /, which is (1 — 1/Z). 

For the case 1 — 2, since X and Y are odd integers, we may write X — 2Xo + 1 
and Y — 2Yo + 1. It is then not hard to see that both p and / are odd integers. 
Hence we have 2 \ I and 2\ p, which completes the proof. □ 

We use the above Proposition to determine the correction factor for I \ b. For 
odd primes I \ b, we use the following result. 

Proposition 6.12. Let I be an odd prime divisor ofb. Then 



(6.13) PYoh{l ] p and I ] I) = 




Proof. Note that if Z is a divisor of 6, then 

/ = c\{C + D){C - D)\ modZ, 
p = c^{C^ + 1){D^ + 1) mod I. 

If Z = 1 mod 4, then —1 is a residue modulo I. Let be one of the square 

root of -1 in Z/IZ. Therefore Z | p if and only if C ee or D = ±v^. The 

set {(C, D) e A^iZ/lZ)\C EE or £> = ±\/^} consists of 4/ - 4 points. The 

set {(C, D)\I = 0} = {(C, D)\C + £> = or C - L> = 0} consists of 2Z - 1 points, 
with an intersection with the above set consisting of 4 points. Hence there are 
P -6l + 9 = {l- 3)2 points in A'^{Z/IZ) such that I \ I and I \ p. 

If Z = 3 mod 4, then —1 is a non-residue modulo Z. Hence p is not divisible by 
I. Therefore there are Z^ - 2Z + 1 = (Z - 1)^ points in A'^{Z/IZ) such that I \ I and 
l\p. □ 

The following table summarizes the correction factors according to the prime 
number Z. 
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prime number / 


correction factor c{l) 


I odd 


I totally splits in K/Q 

I splits into two primes in K/Q 

I is inert in K/Q 

I ramifies 


(i-2/{i-i)r 
1 

(l + 2/(/-l)) 


/ 1 b 
I odd 


I = 1 mod 4 
I = 3 mod 4 


{i-2/{i-i)r 
1 


1 = 2 




4 



Simply put, the probability that both p and / arc prime numbers is expected to 
be equal to 1/ log(p) log(/), which is the probability if both p and / are viewed as 
random numbers, multiplied by the global correction factor, which is the product of 
all correction factors corresponding to each prime I. We need to note the following 
lemma that ensures the convergence of the correction factor as an infinite product. 

Lemma 6.13. The infinite product 

(6.14) hm l[c{l) 

1<B 

converges conditionally if c{3) ^ 0, and it diverges to zero if c{3) = 0. 

Proof. First note that the only correction factor that could be zero is c(3), which is 
zero if and only if 3 S Vc ■ Now we assume that 3 ^ Vc a-nd show that the infinite 
product converges conditionally. Since the primes dividing b form a finite set, and 
those primes in Ps have no contributions to the correction factor, it suffices to show 
that the infinite product 



lim n n 

l<B,leVc l<B,l&Vi 

converges conditionally. 
First observe that 



c{l) = lim 



n 



i<B,ieVc 



1 



n 

i<B,ieri 



l-l 



n 

i<B,ieVc 

n 

i<B,ieVc 



1 - 



l-l 



n 



i<B,ieVi 



2 

1 - ^ 



n 

i<B,ieVi 



1 + ^ 



n 

i<B,ieVc 
(l 



{i-m-2) 
)) 



n 

i<B,ieri 
1 + 



(Z + 2)(/-l) 



^^T[l<B,leVc {l-l){l-2)) i.i.l<B,leVi \^ ' ((+2)(i-l) 

S DO, it then suffices to show that Okb leVc 
verges conditionally. Also note that 

2 



converges absolutely as 



) n 



i<B,ieVi 



(1 + f) 



con- 



n 

i<B,ieVc 

n 

i<B,ierc 



1 



1-i 



n 

i<B,ieVi 

n 

i<B,ieri 



1 



1 + T 



n 

i<B,ieVc 



{i-iy 



n 

i<B,ieVi 
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Since UiKBdeVc " (T^Tf) Ui<B,ieri (l " (ITTf) converges absolutely as B ^ 

cxD, it then suffices to show that YI^b leVc ~ l)^ Hkb leVi + l) converges 
conditionally. Note that 

n Hr n H 

i<B,ieVc ^ ' i<BjeVi ^ 

- n (-1) n ■n(-f 

where X the unique Dirichlet character modulo I of order two. Since ni<B (j- ~~ 

converges as 2 — oo, it then suffices to show that Hkb leVc ~ l) Hkb leVs (■'■ ~ t) ^ 
converges conditionally. Observe that 

n H) n 0-1 ' 

l<B,leVc ^ ' l<B,l£Vs ^ 

- n n n (-^ 

i<B,ieVc ^ ' i<B,ieVs ^ ' i<B,ieVs ^ 

Since Ui<B,ieVs " f) converges absolutely as 2: ^- oo, and Ui<B,ieVc ~ l) lli<B,ieVs 
converges conditionally by the Chebotarev density theorem, we conclude that the 
given infinite product converges conditionally. □ 

In the above discussion, we did not take into account the case where / divides 
p. However, computations show that / divides p with a very low probability when 
compared with the estimate error in the estimation by the prime number theorem. 



7. Examples 

7.1. K = Q(C5)- First we apply the theory in the previous section to Weil p- 
numbers in the field K = Q(C5)- Recall that the curve = + 1 has CM by 
K = Q(C5)- The ring of integers of K is Ok = Z[C5]. The prime p and the index / 
of a Weil p-number in K satisfy the following equations 

(7.1) p = ^{{X^+XY-YY+5X^ + 5Y^+5), and 

(7.2) / = ^\X^ -4:XY -Y'^\, 

where X and Y range among odd integers. Note that in order that both p and / are 
integers, X and Y must both be odd numbers. The corresponding Weil j> number 
is then 

7r= 1 (^-{X^ + XY-Y^) + ^/5 + X^-5 -2^5 + Y^-5 + 2^5^ . 

It is worth noting that tt is in fact contained in Ok- First we note that \/— 5 ± 2^5 G 
Z[^5]. This is because ^5 = cos(27r/5) + isin(27r/5), which yields that isin(27r/5) = 
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e Q(C5)- Hence v'-10±2y5 G Q(C5)- Note that 



-5 ± 2^5 = i (\J-lQ-2Vl ± ^-10 + 2V5j 



hence -\/~5 ± 2-\/5 e Q(C5)- Moreover, as \/— 5 ± 2-\/5 satisfies the monic polyno- 
mial + 10X2 + 5, we deduce that a/-5±2\/5 G Z[C5]. Obviously, 47r G ZfCs]. 
Thus it suffices to show that 47r is divisible by 4 in I^Q-]. Note that the norm of An 
is ((X2 +XY - Y^ f + 5 + 5X2 + 5y2^2^ ^t^^^ ^^^^ ^-^ow that 256 divides 
the norm of 47r, which follows from the fact that p is an integer. 

Therefore, for this field K = Q(C5) we have oq = 1, 6 = 2, c = 1, and d = 5. The 
only prime number that divides 6 is 2. The linear transformation for K is simplified 
as following, where for this field e = — The /Co-linear transformation from 

Ko[X,Y]^Ko[U,V] 



(7.3) 

(7.4) 



U = X+^Y 



V 



is well-defined in Ti/lZ, for odd prime numbers ? = 1,4 mod 5. Note that the 
determinant of this linear transformation is —V^ ^ as ^ ^ 5. Under this trans- 
formation, we have 



(7.5) 
(7.6) 



I = 



1 

16 
1 




1- V5 ^ \/5 + l ^2 



For the field K = Q(C5), 5 is the only prime that ramifies. A prime I completely 
splits in K/Q if and only if I = 1 mod 5. I splits in Kq/Q if and only if / = 1,4 
mod 5, and I is inert in K/Q if and only if ? = 2, 3 mod 5. Moreover, there is no 
odd prime divisor of b. Hence we have the following table of correction factors. 





Primes / 


Correction factors c{l) 


/ odd 


I = 1 mod 5 
I = 4 mod 5 
/ = 2, 3 mod 5 
I = 5 


(l-2/(/-l))2 
1 

(l + 2/(/-l))2 
5/4 


I = 2 




4 



The above correction factors are supported by computational results, as shown 
in the following tables, where the frequency are counted as X and Y range through 
odd numbers between 3 and 2001. Here for each prime number /, the predicted 
frequency is c{l){l — j) 

For prime numbers I = 1 mod 5, we have the following table. 
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Prime I 


Actual Frequency 


Predicted Frequency 


11 


0.529075 


0.528925620... 


31 


0.815797 


0.815816857... 


41 


0.859037 


0.859012493... 


61 


0.904074 


0.904058049... 


71 


0.917314 


0.917278318... 


101 


0.941494 


0.941476326... 


131 


0.954744 


0.954722918... 



For prime numbers I = 4 mod 5, we have the foUowing table. 



Prime I 


Actual Frequency 


Predicted Frequency 


19 


0.897545 


0.897506925... 


29 


0.932259 


0.932223543... 


59 


0.966391 


0.966388969... 


79 


0.974854 


0.974843775... 


89 


0.977649 


0.977654336... 


109 


0.981733 


0.981735544... 


139 


0.985659 


0.985663268... 


ambers ^ = 2, 3 mod 5, we have the following table. 


Prime I 


Actual Frequency 


Predicted Frequency 


3 


0.888444 


0.888888889... 


7 


0.979551 


0.979591837... 


13 


0.994071 


0.994082840... 


17 


0.996519 


0.996539792... 


23 


0.998064 


0.998109641... 


37 


0.999271 


0.999269540... 


43 


0.999471 


0.999459167... 


47 


0.999559 


0.999547306... 


53 


0.999639 


0.999644001... 



For the primes I = 2,5, the estimates is also confirmed by computation. 

The probability that both p and / are prime numbers is predicted by the following 
equation. 
(7.7) 

5 

Prob(p and / primes) — -j — — j lim JJ^ ( 1 — 

( = 1(5), i<2 



log p log/ 

The convergence is ensured by Lemma 16.131 
Computation shows that the constant C = Y[i= 



I - 1 



n 

e2,3(5),;<z 



1 



I - 1 



1(5) 



(l-I^)'nfe2,3(5) (i 



2 
/-I 



2.292.... The convergence of this infinite product is shown in the following table. 
Here we write C(z) =Y[ 



l=l(5),l<z 



z 


C(z) 


100 


2.24789155326159 


1000 


2.28832917493766 


10000 


2.28500490081341 


100000 


2.29169100450671 


1000000 


2.29206360346098 
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The following table summarizes the computational results comparing the pre- 
dictions with the actual numbers of pairs (p, /) such that both p and / are prime 
numbers. In the table both X and Y range between 1 and the bound. The discrep- 
ancy is computed as of Prediction/ Actual Number —1. 



Bound 


Actual Number 


Predicted Number 


Discrepancy 


200 


896 


918 


0.02455 


400 


2575 


2638 


0.02447 


600 


4833 


5002 


0.03497 


800 


7759 


7940 


0.02332 


1000 


11316 


11413 


0.00857 


1200 


15308 


15390 


0.00536 



Remark 7.1. We see from the above table that when the bound is relatively small 
the discrepancy gets larger. One possible reason might be the slow convergence 
of C{z). Note that when z is around 100, the value for C{z) is about 2% lower 
than Imiz^oo C{z). If we take the slow convergence of C{z) into consideration and 
redo the computation with the correction factor Jl;</ "^(0' get somewhat better 
agreement, as shown in the table below. 



Bound 


Actual Number 


Predicted Number 


Discrepancy 


200 


896 


908 


0.01339 


400 


2575 


2624 


0.01902 


600 


4833 


4980 


0.03041 


800 


7759 


7909 


0.01933 


1000 


11316 


11370 


0.00477 


1200 


15308 


15335 


0.00176 



For each prime number /, the probability that I does not divide a given number 
a; > Z is (1 — j). It follows from this intuition that the probability that an integer 
a; is a prime number is 

(7.8) U{^-}). 

1<X ^ ^ 

where the product is over all prime numbers I < x. However, this is not correct. 
Computations show that the product is less than the probability given by the prime 
number theorem, which is l/log(a;). The reason is that the divisibilities of x by 
distinct prime numbers I < x are not in fact independent. We may consider the 
following example. Consider x = 1000, then there are respectively [^^^y^J — 142, 
[loooj = 99, and [^\ = 76 integers less than 1000 divisible by 7,11, and 13. 
However the first number that is divisible by all the three primes is 1001. These 
situations give the discrepancy in the estimates by Equation (|7.8p . 
Merten's formulas suggest that 

where 7 « 0.57721 is the Euler constant. In the estimates above, we would like to 
multiply the correction factor up to the bound J*^ for correction factors involving 
I and up to the bound p*^ '' for correction factors involving p. Observe that for 
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almost all the cases we have p > I, hence we may rewrite the correction factor as 
(7.10) c{l;p,I)= n n ^fW' 

where 

Prob([jJ_andjj[p) 
^' ' (1-1/0' 
is the correction factor as above, and 

(7.12) c,{l) = -^^^YJW 
is the correction factor for I not dividing p only. 

We note the following result on the probability Prob(^ \p). 
Proposition 7.2. Let I be an odd prime number other than 5. Then 

(7.13) V.oh{l\p)=\ ^f l = \ mod 5; 

1, otherwise. 



Proof. As we have seen in the proof of Proposition 16.91 if Z = 1 mod 5, then p as 
a polynomial in X and Y factors into four linear factors. Note that the zeros of 
each polynomial factor represents a line in ^^(Z/?Z), and we have the figure below 
showing the zeros of p. 



Note that each line consists of I points. There are four intersections, each with 
multiplicity two. Therefore the zero of p consists of 4/ — 4 points, which shows that 
the probability of I not dividing p is ' """"^ = (1 — 2/Z)^. 

If / = 2,3,4 mod 5, then by Lemma [6.71 I does not divide p. Hence the proba- 
bility of I not dividing p is 1. Thus we finish the proof. □ 

We shall also note that 

Proposition 7.3. The infinite product 

(7.14) n c,{l) 

5<1<B 

converges conditionally as _B — > oo. 
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Proof. Note that by the above Proposition we have 



n cp(o 



5<1<B 



n 

5</<S,/ee1 (mod 5) 



n 



5<1<B 



Hence 

log n "^p^^) 



5<1<B 



E 21og(l 

5</<S,/=l (mod 5) 



5<;< 



Further note that 



E 2 

5<;<S,/=1 (mod 5) 

£ -7 

5<l<B,l=l (mod 5) 

E 

5<;<B,; = 1 mod 5 



2 4 



5</<B 



1 1 

5<1<B 

an absolutely convergent series. 



4 ^ 1 
7+ ^ 1 



5<1<B 



converges conditionally by Dirichlet's Density Theorem, which shows that the infi- 
nite product (|7.14l) converges conditionally. □ 



7.2. The field K = Q(v/-29 - 2^29). We now consider the field K = Q{\/-29 - 2^29) 
as an example. Note that the real subfield Kq = Q(-\/29), and disc(iir) = 29^. 
Hence the only prime number that ramifies in K is 29, which ramifies totally. By 
the Kronecker- Weber Theorem, K is the only quartic subfield of Q(C29)- Hence the 
factorization of primes in K/Q depends only on their residue classes modulo 29. 
Here is a table showing the splitting of prime numbers according to their residue 
classes. 



Factorization 


Residue classes modulo 29 


Totally Split in K/Q 


1,7,16,20,23,24,25 


Split in Kq/Q 


4,5,6,9,13,22,28 


Inert in K/Q 


2,3,8,10,11,12,14,15,17,18,19,21,26,27 


Ramifies in K/Q 






The correction factor for this field is 



The following table shows the discrepancies of the actual and the predicted 
numbers. 



Bound 


Actual Number 


Predicted Number 


Discrepancy 


200 


337 


330 


-0.02121 


400 


1028 


987 


-0.04154 


600 


1931 


1904 


-0.01418 


800 


3107 


3054 


-0.01735 


1000 


4491 


4421 


-0.01583 


1200 


6152 


5995 


-0.02618 
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7.3. The field K = Q(\/-37 - 6^37). We now consider the field K = Q(V-37- 6 
as an example. Note that the real subfield Kq = Q(v^), and disc(/r) = 37^. 
Hence the only prime number that ramifies in K is 37, which ramifies totally. By 
Kronecker- Weber Theorem, K is the only quartic subfield of Q(C37)- Hence the 
factorization of primes in K/Q depends only on their residue classes modulo 37. 
Here is a table showing the splitting of prime numbers according to their residue 
classes. 



Factorizaliou 


Residue (:lassc>s modulo 37 


Totally Split in K/Q 


1,7,9,10,12,16,26,33,34 


Split in Ko/Q 


3,4,11,21,25,27,28,30,36 


Inert m. K/Q 


2,5,6,8,13,14,15,17,18, 
19,20,22,23,24,29,31,32,35 


Ramifies in K/Q 






For this field, & = 6, hence the prime 3 divides 6, and it follows that the correction 
factor for 3 is 1. The correction factor for this field is 

^ ^ i&Vc ^ ' leVi ^ ' 

The following table shows the discrepancies of the actual and the predicted 
numbers. 



Bound 


Actual Numl)er 


Pr(H lifted Nuiul)(>r 


Diricr(>pancy 


200 


258 


266 


0.03101 


400 


785 


801 


0.02038 


600 


1559 


1547 


-0.00769 


800 


2457 


2485 


0.01140 


1000 


3584 


3600 


0.00446 
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